Spam Catchall
June 10, 2004 10:16 AM Subscribe
SpamFilter (literally): When setting up an email account for my own domain, I'm setting up a catch-all for any spam or emails that might go to *@mydomain.com. Is it a bad idea, especially with spammers, to have an automated response be sent back saying that address does not exist? [MoIn]
My other options are to ignore the emails completely or have them route to a junk folder. I've heard that responding to a spam email just lets them know it's active and to send you more. Does this kind of "email does not exist" response not fall under that? Or am I safer just to ignore them?
My other options are to ignore the emails completely or have them route to a junk folder. I've heard that responding to a spam email just lets them know it's active and to send you more. Does this kind of "email does not exist" response not fall under that? Or am I safer just to ignore them?
Waste of your time. They send out so many emails that even if 1/4 of them make it to real addresses, they are doing good.
Also, a good portion of the spam emails will have fake addresses and if the "no such address" email even makes it anywhere, it will probably be to some random person who did not even send it.
I received 400+ emails one day from annoyed people wanting me to remove them from my porn mailing list, apparently a spammer made a fake address which just happened to be mine. Since then I have received TONS of spam at that address and I did not get any before then.
Spammers are real bastards. Some use HTML tricks to find out if you looked at the email. Such as a small image which loads from their server, which is one of the main reasons I use a client which displays all email as text-only.
Most opt-out links from spammers are bullshit too, they just confirm that you look at your spam emails.
I'd just delete them or send them to a trash folder or whatever.
posted by bargle at 10:36 AM on June 10, 2004
Also, a good portion of the spam emails will have fake addresses and if the "no such address" email even makes it anywhere, it will probably be to some random person who did not even send it.
I received 400+ emails one day from annoyed people wanting me to remove them from my porn mailing list, apparently a spammer made a fake address which just happened to be mine. Since then I have received TONS of spam at that address and I did not get any before then.
Spammers are real bastards. Some use HTML tricks to find out if you looked at the email. Such as a small image which loads from their server, which is one of the main reasons I use a client which displays all email as text-only.
Most opt-out links from spammers are bullshit too, they just confirm that you look at your spam emails.
I'd just delete them or send them to a trash folder or whatever.
posted by bargle at 10:36 AM on June 10, 2004
Response by poster: Good point, bargle. I suppose having a catch-all route to my junk mail folder might expose me to more spam, but if it gets bad, I am able to just ignore them all.
posted by MrAnonymous at 10:42 AM on June 10, 2004
posted by MrAnonymous at 10:42 AM on June 10, 2004
What I do is accept the catchall and bounce specific addresses that receive spam. That way I can easily make up addresses on the fly and then kill them if they fall into the wrong hands.
However, I don't get that much spam.
posted by timeistight at 10:56 AM on June 10, 2004
However, I don't get that much spam.
posted by timeistight at 10:56 AM on June 10, 2004
I vote against having a catchall.
1. Many spammers use fire-and-forget mail sending: that is, they don't know or care whether the spam went to a live address. Some, however, care (perhaps so they can resell the address). Why give them any ammunition?
2. I have a domain name that a really inobservant reader could confuse with another domain name that provides a free web-based e-mail service (as well as the domains of several churches that provide e-mail to their members). And, unsurprisingly, there are a lot of inobservant readers out there, so I wound up getting a lot of misdirected e-mail--not spam (though I get a lot of that too). For a while, I had a catchall address and used filtering to respond to these misdirected messages. But having those messages just bounce is a lot easier (since I started bouncing messages, I haven't received a single "Oh yes I did so send my message to the correct address! What did you do with it, you bastard!?"). You could find yourself in a similar spot.
posted by adamrice at 11:14 AM on June 10, 2004
1. Many spammers use fire-and-forget mail sending: that is, they don't know or care whether the spam went to a live address. Some, however, care (perhaps so they can resell the address). Why give them any ammunition?
2. I have a domain name that a really inobservant reader could confuse with another domain name that provides a free web-based e-mail service (as well as the domains of several churches that provide e-mail to their members). And, unsurprisingly, there are a lot of inobservant readers out there, so I wound up getting a lot of misdirected e-mail--not spam (though I get a lot of that too). For a while, I had a catchall address and used filtering to respond to these misdirected messages. But having those messages just bounce is a lot easier (since I started bouncing messages, I haven't received a single "Oh yes I did so send my message to the correct address! What did you do with it, you bastard!?"). You could find yourself in a similar spot.
posted by adamrice at 11:14 AM on June 10, 2004
I had been using the same method as timeistight to manage my catchall email for my personal domain-- bouncing specific addresses that receive spam-- until about two weeks ago, when I started getting spam addressed to every conceivable username at the domain-- about 10,000 per day. I've since reversed the default behavior and discard mail that is not addressed to a particular e-mail...
While the actual people might appreciate a bounce message sent to a nonexistent mailbox, your mail server may not appreciate having to bounce back hundreds, if not thousands, of spam messages per day.
posted by andrewraff at 11:17 AM on June 10, 2004
While the actual people might appreciate a bounce message sent to a nonexistent mailbox, your mail server may not appreciate having to bounce back hundreds, if not thousands, of spam messages per day.
posted by andrewraff at 11:17 AM on June 10, 2004
I own my own domain as well, and I've found a pretty simple strategy that allows me to easily filter spam out. Most domains allow you to forward *@yourdomain.com to a real e-mail address. Whenever you register at a web site, or give out your e-mail address as websitename@yourdomain.com.
So here at metafilter, my address in my profile is metafilter@mydomain.com. On amazon, it's amazon@mydomain.com.
Doing this makes it really easy to figure out who is selling your e-mail address and just automatically throw away a group of items if an address starts getting spam.
I've had the same domain for about 4 years now, and don't have any special anti-spam software set up. I only get about 3-4 spam messages a day, and these are from businesses that I've got existing relationships with (like my bank) so I don't want to trash all of their messages.
One other thing that I've heard about spammers is that some of them have no compunctions about spamming hotmail/yahoo/aol/etc accounts, but that they will actually filter out domains that aren't bulk e-mail ones as they think that they are business accounts.
posted by freshgroundpepper at 11:36 AM on June 10, 2004
So here at metafilter, my address in my profile is metafilter@mydomain.com. On amazon, it's amazon@mydomain.com.
Doing this makes it really easy to figure out who is selling your e-mail address and just automatically throw away a group of items if an address starts getting spam.
I've had the same domain for about 4 years now, and don't have any special anti-spam software set up. I only get about 3-4 spam messages a day, and these are from businesses that I've got existing relationships with (like my bank) so I don't want to trash all of their messages.
One other thing that I've heard about spammers is that some of them have no compunctions about spamming hotmail/yahoo/aol/etc accounts, but that they will actually filter out domains that aren't bulk e-mail ones as they think that they are business accounts.
posted by freshgroundpepper at 11:36 AM on June 10, 2004
Don't bounce your spam. It just doubles the email traffic for each piece of spam, and most anecdotal evidence indicates that spammers don't care.
I use this method, mainly to have site-specific emails (amazon@, mefi@, etc.) so I can organize correspondence from them more easily. My junk mail filter catches most of the sales@, webmaster@, and other shotgun-style spam. Just route it to your junk mail folder and clean it out occasionally.
posted by mkultra at 11:39 AM on June 10, 2004
I use this method, mainly to have site-specific emails (amazon@, mefi@, etc.) so I can organize correspondence from them more easily. My junk mail filter catches most of the sales@, webmaster@, and other shotgun-style spam. Just route it to your junk mail folder and clean it out occasionally.
posted by mkultra at 11:39 AM on June 10, 2004
I do the same thing as freshgroundpepper and mkultra, and it's excellent. Use it for blog commenting, too. Barely had any spam from weblogs, but every so often I get something from dashes@mydomain.com (from anil's site).
posted by gramcracker at 11:44 AM on June 10, 2004
posted by gramcracker at 11:44 AM on June 10, 2004
Most MTAs (Postfix and Sendmail, for certain) will, by default, provide you with plus-based address expansion, making such *@example.com things unnecessary. The idea is that, after the account name in the e-mail address, a plus sign is inserted, followed by any text at all, and then the rest of the e-mail address.
To try this out, just email yourself at account+whatever@example.com. In my case, my account is waldo(at)jaquith(dot)org, but I can provide the address waldo+amazon(at)jaquith(dot)org to Amazon.com. There's no need for opening yourself up to the Rumpelstiltskin attacks that come of being *@example.com.
posted by waldo at 11:57 AM on June 10, 2004
To try this out, just email yourself at account+whatever@example.com. In my case, my account is waldo(at)jaquith(dot)org, but I can provide the address waldo+amazon(at)jaquith(dot)org to Amazon.com. There's no need for opening yourself up to the Rumpelstiltskin attacks that come of being *@example.com.
posted by waldo at 11:57 AM on June 10, 2004
I received 400+ emails one day from annoyed people wanting me to remove them from my porn mailing list, apparently a spammer made a fake address which just happened to be mine.
I get this often too. A lot of my 'junk' mail is people responding to spam that looks like it was sent from my domain, and automated responses that 'such and such address does not exist'. I just let it all go in to one folder and clear it out once a week.
posted by Steve_at_Linnwood at 12:15 PM on June 10, 2004
I get this often too. A lot of my 'junk' mail is people responding to spam that looks like it was sent from my domain, and automated responses that 'such and such address does not exist'. I just let it all go in to one folder and clear it out once a week.
posted by Steve_at_Linnwood at 12:15 PM on June 10, 2004
The + extension mentioned by waldo has one major disadvantage: it makes it trivially easy for spammers to figure out your real e-mail address and send you mail that won't be tagged with its source and has a far higher chance of getting through your filters.
posted by kindall at 12:30 PM on June 10, 2004
posted by kindall at 12:30 PM on June 10, 2004
kindall, does that actually happen? I've been using a dashext (what qmail calls its support for this, using a '-' instead of a '+') with one of my address for a few years whenever putting my address anywhere it might be crawlable/sellable and I only get spam to nick-something@ addresses. I've wondered before if some spammers will be smart enough to strip the -something making this slight protection worthless but I haven't seen it happen yet.
I mainly only give my address to reputable companies and it isn't on many websites, so has my address just not come to the attention of enough spammers? Or is my use of '-' instead of '+' protecting me for now?
Oh, and MrAnonymous, if you're going to be trying to send bounces to the spammers instead of refusing the email in the first place, my experience is that many bounces will be destined for sites that do refuse the email from your server, since the account of the spammer will have been deleted before you get the email or never existed. Since the spammer's account won't accept the "bad address" DSN, and the reason for the DSN is that there isn't an account on your server, you're going to end up with a bunch of "my bounce bounced" messages from your mail server turning up in your postmaster account (and you'll want to make sure that email to postmaster@ doesn't generate bounces, BTW). And you also need to think about what happens when they list the email as coming from a server that doesn't exist, which can be a problem if you're sending out a lot of bounces, since your mail server will keep each out-going bounce in its queue for a few days and try to send them every now and then.
Here's a guide on setting up a gateway which checks all email against spam-assassin and bounces everything that doesn't pass. It's mainly meant for cases where there is an existing account that just doesn't want spam, but it might have some ideas for you. The older version of the guide covers cleaning out your mail queue to get rid of delayed bounces (I don't know what changed in the new version so it doesn't require the cleaning out).
posted by Nick Tamm at 2:11 PM on June 10, 2004
I mainly only give my address to reputable companies and it isn't on many websites, so has my address just not come to the attention of enough spammers? Or is my use of '-' instead of '+' protecting me for now?
Oh, and MrAnonymous, if you're going to be trying to send bounces to the spammers instead of refusing the email in the first place, my experience is that many bounces will be destined for sites that do refuse the email from your server, since the account of the spammer will have been deleted before you get the email or never existed. Since the spammer's account won't accept the "bad address" DSN, and the reason for the DSN is that there isn't an account on your server, you're going to end up with a bunch of "my bounce bounced" messages from your mail server turning up in your postmaster account (and you'll want to make sure that email to postmaster@ doesn't generate bounces, BTW). And you also need to think about what happens when they list the email as coming from a server that doesn't exist, which can be a problem if you're sending out a lot of bounces, since your mail server will keep each out-going bounce in its queue for a few days and try to send them every now and then.
Here's a guide on setting up a gateway which checks all email against spam-assassin and bounces everything that doesn't pass. It's mainly meant for cases where there is an existing account that just doesn't want spam, but it might have some ideas for you. The older version of the guide covers cleaning out your mail queue to get rid of delayed bounces (I don't know what changed in the new version so it doesn't require the cleaning out).
posted by Nick Tamm at 2:11 PM on June 10, 2004
I've been using a dashext (what qmail calls its support for this, using a '-' instead of a '+') with one of my address for a few years whenever putting my address anywhere it might be crawlable/sellable and I only get spam to nick-something@ addresses.
A hyphen is more often a real character in e-mail addresses than an extension character, I'd wager. No return in stripping that out since it is at least as likely to result in a bad e-mail address as a good one. I don't know if spammers actually do strip off the + extensions, I just said it's trivial to do and that you are in fact giving out your real e-mail address.
you're going to end up with a bunch of "my bounce bounced" messages from your mail server turning up in your postmaster account
No, you're not, because your bounce will have an empty return-path, which means "don't bother bouncing this, it's an automated response." If spammers would only put empty return-paths on their spam, all the bounces they generate would go away.
posted by kindall at 5:04 PM on June 10, 2004
A hyphen is more often a real character in e-mail addresses than an extension character, I'd wager. No return in stripping that out since it is at least as likely to result in a bad e-mail address as a good one. I don't know if spammers actually do strip off the + extensions, I just said it's trivial to do and that you are in fact giving out your real e-mail address.
you're going to end up with a bunch of "my bounce bounced" messages from your mail server turning up in your postmaster account
No, you're not, because your bounce will have an empty return-path, which means "don't bother bouncing this, it's an automated response." If spammers would only put empty return-paths on their spam, all the bounces they generate would go away.
posted by kindall at 5:04 PM on June 10, 2004
The + extension mentioned by waldo has one major disadvantage: it makes it trivially easy for spammers to figure out your real e-mail address and send you mail that won't be tagged with its source and has a far higher chance of getting through your filters.
Of course, spammers are really, really stupid. :) But more important, I only give out a + extended address to hypothetically-legitimate sites, like Amazon or Google or something. I certainly wouldn't figure that I could just stick a plaintext waldo+website(at)jaquith(dot)org and figure that I could just filter that stuff out when spammers crawled my site. That'd work for about an hour. :)
Rumpelstiltskin attacks are so common and irritating that I think you'd be nuts to accept mail to *@example.com -- plus-based expansion is just the next-best thing.
posted by waldo at 7:51 PM on June 10, 2004
Of course, spammers are really, really stupid. :) But more important, I only give out a + extended address to hypothetically-legitimate sites, like Amazon or Google or something. I certainly wouldn't figure that I could just stick a plaintext waldo+website(at)jaquith(dot)org and figure that I could just filter that stuff out when spammers crawled my site. That'd work for about an hour. :)
Rumpelstiltskin attacks are so common and irritating that I think you'd be nuts to accept mail to *@example.com -- plus-based expansion is just the next-best thing.
posted by waldo at 7:51 PM on June 10, 2004
Y'know, in the nine years I've had my domains, I've never had a dictionary attack on any of them. I'm sure that if I do get one, it'll suck mightily, but they don't seem all that common.
posted by kindall at 9:17 PM on June 10, 2004
posted by kindall at 9:17 PM on June 10, 2004
This thread is closed to new comments.
posted by majcher at 10:35 AM on June 10, 2004